CEC1736-TFLX

The TrustFLEX CEC173x-TFLX Trust Shield Family is the Real Time Platform Root of Trust Controller for Servers, Telecommunications, Networking, Industrials, and Embedded Computing applications.

The CEC173x-TFLX is a partially configured and provisioned variant of the CEC173x Trust Shield family of Real Time Platform Root of Trust Controllers. The devices come pre-provisioned with Soteria G3 firmware, and the configuration enables customers to use unique credentials for Application Processor images.

The device configuration is designed to make CEC173x-TFLX support most common use cases, while minimizing the learning and development time to enable product quick time to market.

The CEC173x-TFLX is a highly configurable, mixed-signal, advanced I/O controller. It contains a 32-bit 96 MHz ARM® Cortex-M4F processor core with closely coupled memory for optimal code execution and data access.

The CEC173x-TFLX was designed to meet the NIST 800-193 Platform Resiliency Guidelines, as well as the Open Compute Project (OCP) Security Project requirements.

The immutable secure bootloader implemented in the CEC173x TrustFLEX ROM (Boot ROM) loads and authenticates the embedded controller firmware (ECFW/Soteria G3) from the internal SPI Flash. The Authenticated ECFW (Soteria G3) will then authenticate and validate Application Processor image stored in external SPI Flash.

The validated ECFW (Soteria G3) along with the Boot ROM code supports many additional security features of the device, including Key revocation, Code Rollback Protection and Transfer of Ownership. In addition, the Boot ROM implements Life Cycle Management and SPDM for Attestation. The SPDM implementation in ECFW (Soteria G3) supports commands that return certificates and measurement information for attestation.

Both the Boot ROM and the ECFW (Soteria G3) support more than one public key for image authentication and key revocation. A public key may be revoked, i.e., taken out of service, if the private key becomes compromised.

The Boot ROM and the ECFW also support Rollback Protection, which prevents certain firmware images from being permitted to run in a system. This feature is used if an older image version may compromise the system security.

The CEC173x TrustFLEX SPI Flash Monitor blocks, one instance per Host, maintain Host firmware integrity both during Host Boot and Host Runtime. At Host Boot, it calculates and verifies signatures of the loaded code blocks in real time, while also verifying that the Host’s firmware is executing the correct opcodes from Flash. At Host Runtime, it verifies that only legal Flash accesses are performed, using regional access permission settings, and that no illegal or questionable opcodes (such as Chip Erase) are attempted. Upon seeing an attempted violation of SPI integrity or access rules, it will intervene in real time, in such a way as to cancel a Read, Write, Program or Erase before it can be performed. The Intervention technique works with even the most economical 8-pin standard NOR Flash devices.

The CEC173x TrustFLEX also contains a core Crypto hardware accelerator engine supporting SHA-384, 256-bit AES encryption, ECDSA signing algorithms, Elliptic asymmetric public key algorithms, and a Deterministic Random Number Generator (DRNG). Runtime APIs are provided in the ROM for customer application code to use the cryptographic hardware. PUF ID generation resources and algorithms are included, as well as lockable OTP storage for keys and IDs.

Fused Life Cycle security gives access to these resources only when appropriate for development, test, or production phases.

The CEC173x TrustFLEX is designed to be incorporated into low power designs. During normal operation, the hardware always operates in the lowest power state for a given configuration. The chip power management logic offers two low power states: light sleep and heavy sleep. When the chip is sleeping, it has many wake events that can be configured to return the device to normal operation, for example any GPIO pin.

The CEC173x TrustFLEX offers a software development system interface that includes a serial debug port (UART) and a 2-pin Serial Wire Debug (SWD) interface. Also included is a full 4-wire JTAG interface for Boundary Scan testing (disabled for production).

Download the Trust Platform Design Suite to evaluate the CEC173x TrustFLEX usecases and generate the production files necessary to trigger the Microchip Secure Provisioning Service.

* request the CEC1736 TrustFLEX TPDS extension